From owner-freebsd-hackers@FreeBSD.ORG Tue Jan 23 13:10:40 2007
From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-hackers@freebsd.org
Cc: "Andrew N. Below"
Date: Tue, 23 Jan 2007 14:10:19 +0100
Message-Id: <200701231410.25946.max@love2party.net>
In-Reply-To: <082f01c73ee3$c6b3f810$970da8c0@jam.zenon.net>
Subject: Re: how to deny reading of several sysctls (for a set of uids, f.e.)
On Tuesday 23 January 2007 12:44, Andrew N. Below wrote:
> System - RELENG_6.
>
> The easiest way I found is to patch libc.
> But in this case we can still get an original library and use
> LD_PRELOAD.
>
> Is there any way to obtain the uid of the calling process (thread?)
> within the kernel?
>
> We have the following extern in src/lib/libc/gen/sysctl.c:
> [..]
> extern int __sysctl(int *name, u_int namelen, void *oldp, size_t
> *oldlenp, void *newp, size_t newlen);
> [..]
>
> And there is __sysctl (src/sys/kern/kern_sysctl.c):
>
> [..]
> /*
>  * MPSAFE
>  */
> int
> __sysctl(struct thread *td, struct sysctl_args *uap)
> [..]
>
> 1. Is this function called from libc sysctl()?
>
> 2. What can we get from td here? My knowledge about the FreeBSD kernel
> and kernel threads is not yet enough for understanding this.

td->td_proc->p_ucred has the user credentials. You probably want to do
your checks in userland_sysctl() according to the comment just above.

> I also thought about passing a control variable from libc
> to the kernel, but it seems to be a bad idea.
>
> Any other ways?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
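The point of the reply is that the decision has to be made in the kernel, on the credentials attached to the calling thread and on the numeric MIB as the syscall received it, because anything done in libc can be bypassed by static linking, LD_PRELOAD, or calling __sysctl() directly. The following is an added example, not code from the thread or from FreeBSD: a userland model of the per-uid read filter that Max suggests placing in userland_sysctl(). The struct cred_m, the deny_table, the uids 1001 and 1002 and the is_read flag are stand-ins constructed for this demonstration; in the kernel the credential would come from the thread (td->td_proc->p_ucred as stated above, or the thread's cached td_ucred) and the MIB from the sysctl_args. Two caveats a practitioner would want: the rule matches on the real uid as well as the effective uid, so a set-uid helper run by a restricted user is held to the same rule (drop that if you want such helpers exempt), and FreeBSD's MAC framework already hooks every sysctl request in kern_sysctl.c under #ifdef MAC, so a MAC policy module is the supported way to ship such a rule without carrying a private kernel patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Top-level MIB identifiers; the values mirror sys/sysctl.h. */
#define CTL_KERN    1
#define CTL_HW      6
#define KERN_OSTYPE 1
#define HW_MACHINE  1

/* Stand-in for the two struct ucred fields the check reads. In the
 * kernel the credential is reached from the thread; this struct exists
 * only so the example runs in userland. */
struct cred_m {
	unsigned int cr_uid;	/* effective uid */
	unsigned int cr_ruid;	/* real uid */
};

/* One deny rule: a uid and a numeric MIB prefix that uid may not read. */
struct sysctl_deny {
	unsigned int uid;
	int prefix[4];
	unsigned int plen;
};

/* Constructed policy for the demonstration (hypothetical uids):
 * uid 1001 may read nothing under kern.*, uid 1002 may not read hw.machine. */
static const struct sysctl_deny deny_table[] = {
	{ 1001, { CTL_KERN },           1 },
	{ 1002, { CTL_HW, HW_MACHINE }, 2 },
};

static int
mib_has_prefix(const int *name, unsigned int namelen,
    const int *prefix, unsigned int plen)
{
	if (plen == 0 || plen > namelen)
		return (0);
	return (memcmp(name, prefix, plen * sizeof(int)) == 0);
}

/*
 * Decide whether a sysctl request from a caller holding cred may proceed.
 * name/namelen is the numeric MIB exactly as __sysctl() received it from
 * userland, so a relinked or LD_PRELOADed libc cannot route around the
 * check. is_read is nonzero when the caller supplied an old buffer (a
 * read) rather than only a new value (a write); writes pass through
 * because the question is about denying reads.
 * Returns 0 to allow, EPERM to deny, EINVAL for a malformed request.
 */
int
sysctl_read_check(const struct cred_m *cred, const int *name,
    unsigned int namelen, int is_read)
{
	size_t i;

	if (cred == NULL || name == NULL || namelen == 0)
		return (EINVAL);
	if (!is_read)
		return (0);
	for (i = 0; i < sizeof(deny_table) / sizeof(deny_table[0]); i++) {
		const struct sysctl_deny *d = &deny_table[i];

		/* Match the real uid too, so a set-uid helper started by a
		 * restricted user is held to the same rule. */
		if (d->uid != cred->cr_uid && d->uid != cred->cr_ruid)
			continue;
		if (mib_has_prefix(name, namelen, d->prefix, d->plen))
			return (EPERM);
	}
	return (0);
}

int
main(void)
{
	const int kern_ostype[] = { CTL_KERN, KERN_OSTYPE };
	const int hw_machine[] = { CTL_HW, HW_MACHINE };
	struct cred_m user = { 1001, 1001 };
	struct cred_m suid_helper = { 0, 1001 };	/* euid root, ruid 1001 */
	struct cred_m root = { 0, 0 };

	printf("uid 1001 kern.ostype: %d\n",
	    sysctl_read_check(&user, kern_ostype, 2, 1));        /* EPERM */
	printf("uid 1001 hw.machine: %d\n",
	    sysctl_read_check(&user, hw_machine, 2, 1));         /* 0 */
	printf("suid helper kern.ostype: %d\n",
	    sysctl_read_check(&suid_helper, kern_ostype, 2, 1)); /* EPERM */
	printf("root kern.ostype: %d\n",
	    sysctl_read_check(&root, kern_ostype, 2, 1));        /* 0 */
	return (0);
}
```

A prefix rule shorter than the request matches the whole subtree, while a request shorter than the rule (for example the bare CTL_HW node from uid 1002) is not denied, since it names no value the rule covers. Keep the table small and ordered by uid if it grows; this runs on every sysctl call.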